If a lookup is inserted or
updated and meets the conditions, the Lookup business rule triggers this workflow.

About this task

The Threat Intelligence - Run IoC Lookup workflow first checks
whether an unexpired observable already exists with the same value and type as
the lookup. If so, the lookup is set to Complete and populated with the data from
that observable, and any inactive indicators associated with the observable are
reactivated.

If a matching observable exists but is expired, the workflow runs the lookups and
increments the Sighting count on the existing, expired observable.

If no correlating observable exists, a new observable with an indicator is created.

Populate lookup with observable activity

If an unexpired observable is found, the Threat Intelligence Orchestration -
Populate lookup with observable workflow activity supplies data from an existing
observable to a lookup. This activity can accelerate the investigation and remediation
process.

When triggered by a workflow, Populate lookup with observable attempts
to find an existing observable whose value and type match those of the
lookup passed to the activity as input.

If the observable exists and is not expired, this activity:

Updates the lookup with the information found in the observable

Reactivates an indicator if it is inactive, increments the Encountered
count, and updates the Last seen date

Sets State to Complete.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables

Variable           Description
scanID [string]    Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

Value    Description
True     Found a valid (unexpired) observable and updated the lookup.
False    Did not find a valid observable; the observable is either missing or expired.

Perform IoC Lookup activity

The Threat Intelligence Orchestration - Perform IoC Lookup
workflow activity performs a given lookup by queuing it for execution. This activity
can accelerate the investigation and remediation process.

When triggered by a workflow, Perform IoC Lookup takes a scanID,
retrieves the corresponding lookup record, and adds the lookup to the queue by
creating a lookup queue entry.

Input variables

Input variables determine the initial behavior of the activity.

Table 3. Input variables

Variable           Description
scanID [string]    Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 4. Output variables

Value    Description
True     Triggered the lookup.
False    Did not trigger the lookup.

Update observable with lookup result activity

The Threat Intelligence Orchestration - Update observable with lookup
result workflow activity updates the observable record. If one does not exist, it
creates a new observable. This activity is useful for logging information.

When triggered by a workflow, Update observable with lookup
result updates an existing observable to include the new Sighting
count, adds a note, and reactivates any indicators that are inactive. The
Encountered count and Last seen date on each
indicator are also updated.

If no correlating observable exists, the activity creates
a new observable with an indicator as follows:

Runs the IoC lookups

Creates a new observable

Creates an indicator for the observable

Adds a Sighting count to the observable

Adds an Encountered count and Last seen
date to the indicator

Adds a message indicating from which lookup it was created.

Input variables

Input variables determine the initial behavior of the activity.

Table 5. Input variables

Variable           Description
scanID [string]    Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 6. Output variables

Value    Description
True     Update or creation of the observable succeeded.
False    Update or creation of the observable failed.
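The three branches described under "About this task", together with the Populate lookup with observable and Update observable with lookup result activities above, reduce to a small correlation rule: match on value and type, then branch on whether the match is missing, expired, or still valid. The following in-memory model is an added example written for this page; it is not ServiceNow's code. The record shapes, field names, the 30-day expiry assumed for newly created observables, and the synchronous runLookup stand-in for the queued Perform IoC Lookup activity are all assumptions chosen for illustration.

```javascript
// Added example, not ServiceNow's code: an in-memory model of the correlation
// rules this page describes for "Populate lookup with observable" and
// "Update observable with lookup result". Record shapes, field names, the
// 30-day expiry for new observables and the synchronous runLookup stand-in
// for the queued "Perform IoC Lookup" activity are all assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const NEW_OBSERVABLE_TTL_MS = 30 * DAY_MS; // assumed expiry for created observables

// Constructed sample store: one unexpired observable carrying an inactive
// indicator, and one expired observable.
function makeStore(now) {
  return {
    nextId: 3,
    observables: [
      { id: "obs1", type: "ip", value: "203.0.113.10",
        expires: new Date(now.getTime() + 7 * DAY_MS), sightings: 3, notes: [],
        data: { verdict: "malicious", source: "feedA" },
        indicators: [{ id: "ind1", active: false, encountered: 5,
                       lastSeen: new Date(now.getTime() - 30 * DAY_MS) }] },
      { id: "obs2", type: "domain", value: "bad.example",
        expires: new Date(now.getTime() - DAY_MS), sightings: 1, notes: [],
        data: { verdict: "suspicious", source: "feedB" },
        indicators: [{ id: "ind2", active: true, encountered: 1,
                       lastSeen: new Date(now.getTime() - 2 * DAY_MS) }] },
    ],
  };
}

// Correlation key used by both activities: same type and same value.
function findObservable(store, lookup) {
  return store.observables.find(
    (o) => o.type === lookup.type && o.value === lookup.value) || null;
}

// Reactivate inactive indicators, bump Encountered count, refresh Last seen.
function touchIndicators(observable, now) {
  for (const ind of observable.indicators) {
    ind.active = true;
    ind.encountered += 1;
    ind.lastSeen = now;
  }
}

// Populate lookup with observable: true only when an unexpired match exists.
function populateLookupWithObservable(store, lookup, now) {
  const obs = findObservable(store, lookup);
  if (!obs || obs.expires <= now) return false; // missing or expired
  lookup.result = { ...obs.data };
  lookup.state = "Complete";
  touchIndicators(obs, now);
  return true;
}

// Update observable with lookup result: update an existing observable (even an
// expired one) or create a new observable plus indicator from the lookup result.
function updateObservableWithLookupResult(store, lookup, now) {
  if (!lookup.result) return false; // nothing to record yet
  const existing = findObservable(store, lookup);
  if (existing) {
    existing.sightings += 1;
    existing.notes.push(`Sighting recorded by lookup ${lookup.id}`);
    touchIndicators(existing, now);
    return true;
  }
  const n = store.nextId++;
  store.observables.push({
    id: `obs${n}`, type: lookup.type, value: lookup.value,
    expires: new Date(now.getTime() + NEW_OBSERVABLE_TTL_MS), sightings: 1,
    notes: [`Created from lookup ${lookup.id}`], data: { ...lookup.result },
    indicators: [{ id: `ind${n}`, active: true, encountered: 1, lastSeen: now }],
  });
  return true;
}

// Run IoC Lookup: the three branches from "About this task". runLookup stands
// in for the queued lookup and returns the result data for the lookup.
function runIoCLookup(store, lookup, now, runLookup) {
  if (populateLookupWithObservable(store, lookup, now)) return "populated";
  lookup.result = runLookup(lookup); // Perform IoC Lookup, modelled synchronously
  lookup.state = "Complete";
  return updateObservableWithLookupResult(store, lookup, now) ? "looked-up" : "failed";
}

if (typeof require !== "undefined" && require.main === module) {
  const now = new Date("2024-01-01T00:00:00Z");
  const store = makeStore(now);
  const fake = () => ({ verdict: "malicious", source: "feedC" });
  for (const lk of [{ id: "lk1", type: "ip", value: "203.0.113.10" },
                    { id: "lk2", type: "domain", value: "bad.example" }]) {
    console.log(lk.id, runIoCLookup(store, lk, now, fake), lk.state);
  }
}
```

The unexpired branch never queues a lookup, so a stale but unexpired observable keeps serving cached verdicts until it expires; the expired branch does re-run the lookup but, as the page describes, only bumps the Sighting count and indicator fields on the existing record rather than creating a second observable for the same value.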

Run Default IoC Lookup Sources activity

When triggered by a workflow, Threat Intelligence - Run Default
IoC Lookup Sources takes a lookup request ID and creates multiple lookups,
one per applicable lookup source, depending on the data values entered in the request.

For each data type in the request, the include_in_bulk scan column of each lookup
source's supported lookup type table is evaluated. If it is true, a lookup against
that source is added to the lookup request.

Input variables

Input variables determine the initial behavior of the activity.

Table 7. Input variables

Variable           Description
scan_request_id    Lookup request system identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 8. Output variables

Variable                   Description
Number of scans created    Integer
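The fan-out just described is a cross product of the request's data values with the lookup sources, filtered by the per-type bulk-scan flag, and its output is simply the size of that filtered set. The following in-memory model is an added example written for this page, not ServiceNow's code. The source and request shapes are assumptions; the only rule taken from the page is that a lookup is created when the source's supported-type entry for that data type has include-in-bulk-scan set. The de-duplication of a value submitted twice in one request is an added caveat rather than behaviour the page states.

```javascript
// Added example, not ServiceNow's code: an in-memory model of how "Run Default
// IoC Lookup Sources" fans one lookup request out into per-source lookups.
// Source and request shapes are assumptions; the rule taken from the page is
// that a lookup is created only when the source's supported-type entry for the
// data type has include-in-bulk-scan set. De-duplicating repeated values within
// a request is an added caveat, not something the page states.

// Constructed catalogue of lookup sources and the data types each supports.
const SOURCES = [
  { name: "srcA", supportedTypes: {
      ip: { includeInBulkScan: true }, domain: { includeInBulkScan: true },
      hash: { includeInBulkScan: false } } },
  { name: "srcB", supportedTypes: {
      ip: { includeInBulkScan: false }, hash: { includeInBulkScan: true } } },
  { name: "srcC", supportedTypes: { url: { includeInBulkScan: true } } },
];

// Expand a lookup request into the lookups the bulk scan would create.
function runDefaultIoCLookupSources(request, sources) {
  const seen = new Set();
  const lookups = [];
  for (const item of request.values) {
    for (const src of sources) {
      const entry = src.supportedTypes[item.type];
      if (!entry || !entry.includeInBulkScan) continue; // unsupported type or excluded from bulk
      const key = `${src.name}|${item.type}|${item.value}`;
      if (seen.has(key)) continue; // same value submitted twice in one request
      seen.add(key);
      lookups.push({ requestId: request.id, source: src.name,
                     type: item.type, value: item.value });
    }
  }
  return lookups;
}

// Output variable of the activity: number of scans created.
function numberOfScansCreated(request, sources) {
  return runDefaultIoCLookupSources(request, sources).length;
}

// Constructed request mixing supported, excluded, duplicated and unknown types.
const SAMPLE_REQUEST = {
  id: "req1",
  values: [
    { type: "ip", value: "203.0.113.10" },
    { type: "domain", value: "bad.example" },
    { type: "hash", value: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" },
    { type: "ip", value: "203.0.113.10" },     // duplicate of the first value
    { type: "email", value: "x@bad.example" }, // no source supports this type
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const l of runDefaultIoCLookupSources(SAMPLE_REQUEST, SOURCES)) {
    console.log(l.source, l.type, l.value);
  }
  console.log("Number of scans created:", numberOfScansCreated(SAMPLE_REQUEST, SOURCES));
}
```

With the constructed catalogue, the sample request yields three lookups: the IP and domain go to srcA, the hash goes to srcB (srcA supports hashes but excludes them from bulk scans), the duplicate IP is collapsed, and the e-mail address produces nothing because no source supports that type. A data type that no default source includes in bulk scanning silently creates zero lookups, so a request that returns a count of 0 is worth checking against the supported lookup type tables rather than treated as "nothing found".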
